Patch Tuesday March 2021 Edition…Exchange Exploits Escalate
By Randy Becker, CISO & VP, Network and Security Consulting
As if the SolarWinds fiasco and the massive global on-premises Exchange Servers attack weren’t bad enough, here comes Microsoft Patch Tuesday for March 2021.
Microsoft Patch Tuesday announces 82 vulnerabilities, with 10 plus classified as critical, 1 zero-day exploit, and 72 as important. These have all be fixed in this month’s update courtesy of Microsoft. Of special note, these numbers do not include the 7 Microsoft Exchange and 33 Chromium Edge vulnerabilities already released.
If you have an on-premises Exchange Server, you must apply the updates from Microsoft immediately. You can find the installation instructions here. The Exchange Server team has also created a script to run a check for HAFNIUM IOCs. That script is available here.
Estimates of 30,000+ victims in the U.S. alone
While the Microsoft Security Response Center (MSRC) website has a thorough update guide on the 82 new vulnerabilities, the bigger problem right now is the alarming number of Microsoft on-premises Exchange Servers being compromised with these “Web Shell” scripts that, once installed, provide a backdoor that gives threat actors full access to the impacted systems, remote control, the ability to read email, and the ability to move latterly within an environment with the potential to exploit other systems. There are estimates that this might exceed 30,000 victims in the U.S. and potentially hundreds of thousands worldwide.
What can you do right now to protect your organization?
- Ensure you have immutable backups of all systems; that way if the worst happens you have a method of recovering.
- If you have an on-premises Microsoft Exchange Server, regardless of whether it’s exposed to the Internet, patch it!
- After you are done patching, ensure that you validate that the server is patched with the Microsoft Tools.
- Assume that if your Exchange Server was connected to the Internet it was compromised; “Assume the Breach.”
- Run the Test-ProxyLogon.ps1 to see if the server was compromised and has Web Shells or other malicious code installed.
- If the server was compromised, you should treat this as an Incident Response (IR) play and start your IR plan.
- If you do not have an IR plan you should create one and test it with a tabletop exercise.
So, what comes next? This is a very good question.
While we can only speculate, here are some thoughts based on previous experience. Security consulting organizations such as GreenPages have notified and assisted customers with getting Exchange Servers patched and determining if any systems have been compromised. I do, however, expect more ransomware, cyberespionage, and data exfiltration events to occur similar to what we have seen over the last year.
Simply put, the drumbeat is constant and the threats are real and dangerous; this is no time to be complacent. As we continue to field calls from organizations looking for assistance, it’s clear that even the smartest security teams need help to remain vigilant.
If you would like strategic direction to strengthen your security stance, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!